Platform: python
Component: crawl4ai
Fixed in: 0.8.0, 0.8.1
CVE-2026-26216 is a critical Remote Code Execution (RCE) vulnerability affecting Crawl4AI versions up to and including 0.7.8. It allows unauthenticated attackers to execute arbitrary code on the server, which can lead to complete system compromise. The flaw is in the /crawl endpoint's handling of the 'hooks' parameter: attacker-supplied hook content is executed as Python code, so this is a straightforward code-injection bug. A fix is available in version 0.8.0.
The impact of CVE-2026-26216 is severe. Successful exploitation gives an attacker complete control over the affected Crawl4AI server: the ability to run arbitrary system commands, read and write files, exfiltrate sensitive data, and move laterally within the internal network. Because the endpoint requires no authentication, any client that can reach it can attempt exploitation. The hook code runs under a restricted set of builtins, but that set includes `__import__`, which is all an attacker needs to load any installed module (os, subprocess, socket and so on); a builtins allowlist that contains `__import__` is therefore not a sandbox at all. The pattern is the same as other code-injection flaws in which user-supplied input is handed directly to an interpreter without validation.
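The following is an added illustration, not Crawl4AI's own code: a hypothetical server-side hook runner that executes a user-supplied string under a "restricted" builtins dict containing `__import__` (the pattern the advisory describes), placed beside the usual hardened form, which never evaluates request text and instead dispatches by name to server-defined functions. The builtins list, hook names and helper functions are all assumptions made for the example.

```python
"""Why an exec() 'sandbox' whose builtins include __import__ is no sandbox.

Added illustration, not Crawl4AI's code: run_hook_unsafe() stands in for
any server that executes a user-supplied 'hooks' string with a restricted
builtins dict, and run_hook_safe() shows the usual fix of never turning
request text into code at all.
"""
from typing import Any, Callable

# Hypothetical 'allowed builtins' allowlist. It looks restrictive, but
# __import__ lets the hook reach every installed module, so os and
# subprocess are a single call away.
ALLOWED_BUILTINS: dict[str, Any] = {
    "len": len,
    "str": str,
    "print": print,
    "__import__": __import__,
}


def run_hook_unsafe(hook_source: str) -> Any:
    """Vulnerable pattern: exec attacker-controlled text with 'restricted' builtins.

    Whatever the hook assigns to `result` is returned to the caller.
    """
    namespace: dict[str, Any] = {"__builtins__": ALLOWED_BUILTINS}
    exec(hook_source, namespace)  # deliberately unsafe: this is the bug class
    return namespace.get("result")


# Hardened pattern: hooks are functions defined on the server, and a request
# may only *name* one of them. The request body never becomes code.
def _log_url(url: str) -> str:
    return f"visiting {url}"


def _strip_fragment(url: str) -> str:
    return url.split("#", 1)[0]


HOOK_REGISTRY: dict[str, Callable[[str], str]] = {
    "log_url": _log_url,              # hypothetical hook names
    "strip_fragment": _strip_fragment,
}


def run_hook_safe(hook_name: str, url: str) -> str:
    """Dispatch by name only; unknown names are rejected, never evaluated."""
    if not isinstance(hook_name, str):
        raise TypeError("hook name must be a string")
    hook = HOOK_REGISTRY.get(hook_name)
    if hook is None:
        raise ValueError(f"unknown hook: {hook_name!r}")
    return hook(url)


if __name__ == "__main__":
    # Benign demonstration of the escape: no shell command is run, the hook
    # merely proves that the os module is reachable through __import__.
    print(run_hook_unsafe("result = __import__('os').getcwd()"))
    # The safe runner accepts a name, not code, and refuses anything else.
    print(run_hook_safe("strip_fragment", "https://example.com/page#top"))
```

Removing `__import__` from the allowlist would not make the unsafe runner acceptable either: Python lets any object literal walk up to the interpreter's class hierarchy and back down to loaded modules, so `exec` of untrusted text cannot be made safe by trimming builtins. The only robust fix is the registry approach, where the request selects behaviour and never supplies it.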
CVE-2026-26216 was publicly disclosed on January 16, 2026. No public proof-of-concept (PoC) code had been released at the time of writing, but the flaw is simple to trigger (an unauthenticated request to the /crawl endpoint with attacker-chosen 'hooks' content) and the severity is critical, so exploitation should be expected. The EPSS score recorded for it is 0.30% (53rd percentile), which reflects the absence of observed exploitation activity so far rather than low severity. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.30% (53rd percentile)
CISA SSVC: not provided
The primary mitigation for CVE-2026-26216 is to upgrade Crawl4AI to version 0.8.0 or later, which contains the fix. If upgrading is not immediately feasible, reduce exposure in the meantime. Do not expose the /crawl endpoint to untrusted networks, and put authentication in front of it. Have a reverse proxy or WAF reject any request to /crawl that carries a 'hooks' field at all rather than trying to pattern-match "suspicious" values: the endpoint hands the field to the Python interpreter, so the field has to be refused, not sanitised. Monitor host and application logs for unexpected child processes, outbound connections, or file access by the crawler process. After upgrading, confirm the fix by sending a harmless 'hooks' payload to /crawl (one whose execution would be observable, such as an extra log line) and verifying that it has no effect.
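As an added example of the stopgap described above (not code from the advisory or from Crawl4AI), the block below implements two checks a practitioner would drop into a reverse-proxy plug-in or a deployment script: `should_block()` is the decision to refuse a /crawl request that carries a 'hooks' field at any nesting depth, failing closed on bodies that are not a JSON object, and `is_affected()` compares an installed version string against the 0.8.0 fix threshold. The JSON request shape, the body-size limit and the version-string handling are assumptions; only the endpoint path, the field name and the fixed version come from the advisory.

```python
"""Stopgap request filter and version check for the /crawl 'hooks' issue.

Added example, not part of the advisory or of Crawl4AI. should_block() is
the decision a reverse proxy or WAF plug-in would make before forwarding a
request to /crawl; is_affected() compares an installed version against the
0.8.0 fix threshold. Request shape and limits are assumptions.
"""
import json
import re
from typing import Any

FIXED_VERSION = (0, 8, 0)          # first fixed release named in the advisory
BLOCKED_FIELDS = {"hooks"}         # the parameter named in the advisory
MAX_BODY_BYTES = 1_000_000         # assumption: refuse oversized bodies outright


def _mentions_blocked_field(node: Any) -> bool:
    """Walk the parsed JSON; the field is rejected at any depth, case-insensitively."""
    if isinstance(node, dict):
        return any(
            str(key).lower() in BLOCKED_FIELDS or _mentions_blocked_field(value)
            for key, value in node.items()
        )
    if isinstance(node, list):
        return any(_mentions_blocked_field(item) for item in node)
    return False


def should_block(path: str, body: bytes) -> tuple[bool, str]:
    """Return (block, reason) for one request.

    Only /crawl (and sub-paths) are filtered. Anything that is not a
    parseable JSON object is blocked: a filter that guesses is no filter.
    """
    if not (path == "/crawl" or path.startswith("/crawl/")):
        return False, "not a crawl request"
    if len(body) > MAX_BODY_BYTES:
        return True, "body too large"
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return True, "body is not valid JSON"
    if not isinstance(payload, dict):
        return True, "body is not a JSON object"
    if _mentions_blocked_field(payload):
        return True, "request carries a 'hooks' field"
    return False, "ok"


def is_affected(version: str) -> bool:
    """True for 0.7.8 and earlier.

    Accepts a leading 'v' and trailing suffixes such as '.post1'; any
    pre-release tag is ignored (assumption: 0.8.0rc1 is treated as 0.8.0).
    """
    match = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    parsed = (int(match.group(1)), int(match.group(2)), int(match.group(3) or 0))
    return parsed < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("/crawl", b'{"urls": ["https://example.com"]}'),
        ("/crawl", b'{"urls": ["https://example.com"], "hooks": {"on_page": "..."}}'),
        ("/crawl", b'{"config": {"nested": {"HOOKS": "..."}}}'),
        ("/crawl", b"not json at all"),
        ("/health", b"hooks"),
    ]
    for path, body in samples:
        print(path, should_block(path, body))
    for ver in ("0.7.8", "0.7.8.post1", "v0.6", "0.8.0", "0.8.1"):
        print(ver, "affected" if is_affected(ver) else "fixed")
```

The filter deliberately refuses the field outright instead of inspecting its contents: since the vulnerable endpoint executes whatever it receives, there is no such thing as a safe value to allow through, and an allowlist of hook names belongs in the application (as the 0.8.0 fix provides), not in the proxy.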
Update Crawl4AI to version 0.8.0 or later. This version fixes the remote code execution vulnerability. Reviewing the 0.8.0 release notes for details of the fix is recommended.
CVE-2026-26216 is a critical Remote Code Execution vulnerability in Crawl4AI versions up to 0.7.8, allowing unauthenticated attackers to execute arbitrary code on the server.
You are affected if you are running Crawl4AI version 0.7.8 or earlier. Upgrade to version 0.8.0 or later to mitigate the risk.
Upgrade Crawl4AI to version 0.8.0 or later. As a temporary workaround, restrict access to the /crawl endpoint using a WAF or proxy.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the Crawl4AI project's official repository or website for the latest security advisories and updates.